ci: improve token handling and workflow permissions

promhippie · Oct 31, 2023 · 0f752f3 · 0f752f3
1 parent cd3fc1c
commit 0f752f3
Show file tree

Hide file tree

Showing 7 changed files with 117 additions and 18 deletions.
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
@@ -0,0 +1,49 @@
+---
+name: automerge
+
+"on":
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - master
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+
+    steps:
+      - name: Generate token
+        id: token
+        uses: tibdex/github-app-token@v2
+        with:
+          app_id: ${{ secrets.TOKEN_EXCHANGE_APP }}
+          installation_retrieval_mode: id
+          installation_retrieval_payload: ${{ secrets.TOKEN_EXCHANGE_INSTALL }}
+          private_key: ${{ secrets.TOKEN_EXCHANGE_KEY }}
+          permissions: >-
+            {"contents": "write", "pull_requests": "write", "issues": "write"}
+
+      - name: Fetch metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Approve request
+        id: approve
+        run: gh pr review --approve "${{github.event.pull_request.html_url}}"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Enable automerge
+        id: automerge
+        run: gh pr merge --rebase --auto "${{github.event.pull_request.html_url}}"
+        env:
+          GH_TOKEN: ${{ steps.token.outputs.token }}
+
+...
diff --git a/.github/workflows/binaries.yml b/.github/workflows/binaries.yml
@@ -2,10 +2,19 @@
 name: binaries
 
 "on":
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - master
   push:
+    branches:
+      - master
     tags:
       - v*
 
+permissions:
+  contents: write
+
 jobs:
   binaries:
     runs-on: ubuntu-latest
@@ -31,6 +40,7 @@ jobs:
 
       - name: Sign release
         id: gpgsign
+        if: startsWith(github.ref, 'refs/tags/')
         uses: actionhippie/gpgsign@v1
         with:
           private_key: ${{ secrets.GNUPG_KEY }}
@@ -51,7 +61,6 @@ jobs:
         if: startsWith(github.ref, 'refs/tags/')
         uses: ncipollo/release-action@v1
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
           body: ${{ steps.changelog.outputs.generated }}
           artifacts: dist/*
 

diff --git a/.github/workflows/changes.yml b/.github/workflows/changes.yml
@@ -2,10 +2,17 @@
 name: changes
 
 "on":
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - master
   push:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   changelog:
     runs-on: ubuntu-latest
@@ -29,6 +36,7 @@ jobs:
 
       - name: Commit changes
         id: commit
+        if: github.event_name != 'pull_request'
         uses: EndBug/add-and-commit@v9
         with:
           author_name: GitHub Actions
@@ -60,6 +68,7 @@ jobs:
 
       - name: Commit changes
         id: commit
+        if: github.event_name != 'pull_request'
         uses: EndBug/add-and-commit@v9
         with:
           author_name: GitHub Actions
@@ -91,6 +100,7 @@ jobs:
 
       - name: Commit changes
         id: commit
+        if: github.event_name != 'pull_request'
         uses: EndBug/add-and-commit@v9
         with:
           author_name: GitHub Actions

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -2,12 +2,20 @@
 name: docker
 
 "on":
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - master
   push:
     branches:
       - master
     tags:
       - v*
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   docker:
     runs-on: ubuntu-latest
@@ -18,16 +26,20 @@ jobs:
           - platform: linux/386
             goos: linux
             goarch: 386
+            tags: netgo
           - platform: linux/amd64
             goos: linux
             goarch: amd64
-          - platform: linux/arm64
-            goos: linux
-            goarch: arm64
+            tags: netgo
           - platform: linux/arm/6
             goos: linux
             goarch: arm
             goarm: 6
+            tags: netgo
+          - platform: linux/arm64
+            goos: linux
+            goarch: arm64
+            tags: netgo
 
     steps:
       - name: Checkout source
@@ -46,6 +58,7 @@ jobs:
           GOOS: ${{ matrix.goos }}
           GOARCH: ${{ matrix.goarch }}
           GOARM: ${{ matrix.goarm }}
+          TAGS: ${{ matrix.tags }}
         run: make generate
 
       - name: Run build
@@ -54,13 +67,13 @@ jobs:
           GOOS: ${{ matrix.goos }}
           GOARCH: ${{ matrix.goarch }}
           GOARM: ${{ matrix.goarm }}
+          TAGS: ${{ matrix.tags }}
         run: make build
 
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
           images: |
             promhippie/scw-exporter
             quay.io/promhippie/scw-exporter
@@ -109,7 +122,7 @@ jobs:
         if: github.event_name != 'pull_request'
         with:
           registry: ghcr.io
-          username: ${{ github.actor }}
+          username: bothippie
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build image
@@ -128,6 +141,7 @@ jobs:
   manifest:
     runs-on: ubuntu-latest
     needs: docker
+    if: github.event_name != 'pull_request'
 
     steps:
       - name: Checkout source
@@ -138,7 +152,6 @@ jobs:
         id: hubTags
         uses: docker/metadata-action@v5
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
           images: promhippie/scw-exporter
           tags: |
             type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
@@ -161,7 +174,6 @@ jobs:
         id: quayTags
         uses: docker/metadata-action@v5
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
           images: quay.io/promhippie/scw-exporter
           tags: |
             type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
@@ -171,6 +183,7 @@ jobs:
 
       - name: Quay manifest
         id: quay
+        if: github.event_name != 'pull_request'
         uses: actionhippie/manifest@v1
         with:
           username: ${{ secrets.QUAY_USERNAME }}
@@ -182,9 +195,9 @@ jobs:
 
       - name: Ghcr tags
         id: ghcrTags
+        if: github.event_name != 'pull_request'
         uses: docker/metadata-action@v5
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
           images: ghcr.io/promhippie/scw-exporter
           tags: |
             type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
@@ -194,9 +207,10 @@ jobs:
 
       - name: Ghcr manifest
         id: ghcr
+        if: github.event_name != 'pull_request'
         uses: actionhippie/manifest@v1
         with:
-          username: ${{ github.actor }}
+          username: bothippie
           password: ${{ secrets.GITHUB_TOKEN }}
           platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v6
           template: ghcr.io/promhippie/scw-exporter:VERSION-OS-ARCH
@@ -206,6 +220,7 @@ jobs:
   readme:
     runs-on: ubuntu-latest
     needs: docker
+    if: github.event_name != 'pull_request'
 
     steps:
       - name: Checkout source
@@ -214,6 +229,7 @@ jobs:
 
       - name: Hub readme
         id: hub
+        if: github.event_name != 'pull_request'
         uses: actionhippie/pushrm@v1
         with:
           provider: dockerhub
@@ -225,6 +241,7 @@ jobs:
 
       - name: Quay readme
         id: quay
+        if: github.event_name != 'pull_request'
         uses: actionhippie/pushrm@v1
         with:
           provider: quay

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -2,10 +2,17 @@
 name: docs
 
 "on":
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - master
   push:
     branches:
       - master
 
+permissions:
+  contents: write
+
 jobs:
   docs:
     runs-on: ubuntu-latest
@@ -28,6 +35,7 @@ jobs:
 
       - name: Deploy pages
         id: deploy
+        if: github.event_name != 'pull_request'
         uses: peaceiris/actions-gh-pages@v3
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/general.yml b/.github/workflows/general.yml
@@ -2,13 +2,17 @@
 name: general
 
 "on":
-  push:
+  workflow_dispatch:
+  pull_request:
     branches:
       - master
-  pull_request:
+  push:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   testing:
     runs-on: ubuntu-latest
@@ -50,7 +54,7 @@ jobs:
 
       - name: Coverage report
         id: codacy
-        if: github.ref == 'refs/heads/master'
+        if: github.event_name != 'pull_request'
         uses: codacy/codacy-coverage-reporter-action@v1
         with:
           project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}

diff --git a/.github/workflows/kustomize.yml b/.github/workflows/kustomize.yml
@@ -2,13 +2,17 @@
 name: kustomize
 
 "on":
-  push:
+  workflow_dispatch:
+  pull_request:
     branches:
       - master
-  pull_request:
+  push:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   generate:
     runs-on: ubuntu-latest
@@ -17,14 +21,12 @@ jobs:
       - name: Checkout source
         id: source
         uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.BOT_ACCESS_TOKEN }}
 
       - name: Generate manifest
         id: kustomize
         uses: actionhippie/kustomize@v2
         with:
-          version: 4.4.0
+          version: 5.2.1
           path: deploy/kubernetes/
           target: deploy/kubernetes/bundle.yml